LINUX.IE, website of the Irish Linux Users' Group
 :: Mailing Lists

[ILUG] Ximian on Debian Potato

Paul J Collins sneakums at zork.net
Thu Apr 26 11:52:48 IST 2001


>>>>> "JW" == Jerry Walsh <jerry at aardvark.ie> writes:

    JW> At 11:13 26/04/01 +0100, you wrote:

    >> So, every software package you install is cryptographically
    >> signed by some trusted third party you have met in the flesh
    >> and exchanged keys with?

    JW> I didn't say anything about meeting the authors in the flesh
    JW> and exchanging keys with them, i just said there's no
    JW> authenticity on the thing at all - there's not even an attempt
    JW> of it.

I brought up the whole "met in the flesh" thing because that's the
only way to do key exchange in a meaningful way.  Debian's GPG
key-ring is constructed by people either meeting in the flesh or
supplying a few forms of ID to an existing Project member.  Trusting
keys based on a widely-disseminated key fingerprint is less secure,
but not as bad as implicit trust.

    JW> 99% of the software i install and maintain on my machine
    JW> (freebsd) is from the ports which at least have an md5
    JW> checksum on each file it downloads i'm not saying that itself
    JW> is hugely secure nothing's secure but it just makes it harder
    JW> for someone to start doing nasty stuff.

If someone takes the effort to penetrate a ports server and compromise
a package, they are unlikely to omit altering the file with the
checksums in it.  The checksums are more a guard against damage in
transit than anything else.

    >> You are no more exposed by running the go-gnome.sh than you are
    >> by installing the packages.

    JW> I've used debian once - i don't like but isn't there at least
    JW> an md5 sum check done on the packages?

There is, but the Packages file, wherein the checksum lives, is part
of the same directory tree as the packages themselves.  If the
packages are compromised, so are the checksums.  The md5sums are not
an anti-tampering measure.

    JW> With this go-gnome.sh you pass it directly to a root shell, no
    JW> checks no nothing

Same as with debs, RPMs or indeed ports from the collection.

-- 
"Weaseling out of things is what separates us from the 
 animals ... except the weasel."
	-- Emad El-Haraty
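The point made above, that a checksum stored in the same directory tree as the packages guards against damage in transit but not against a compromised mirror, and that only a signature under a key trusted out-of-band closes that gap, as an added illustration that is not part of the original mail. The package names, contents and the distributor key below are constructed, and an HMAC stands in for the detached GPG signature the mail has in mind (the secret never lives on the mirror, which is the property that matters here):

```python
import hashlib
import hmac

# Constructed sample packages (not real Debian archive contents).
SAMPLE_PACKAGES = {
    "foo_1.0_i386.deb": b"foo package contents v1.0",
    "bar_2.3_i386.deb": b"bar package contents v2.3",
}

# Hypothetical distributor signing key. In practice this is a GPG private
# key whose public half the user trusts via in-person exchange or a widely
# published fingerprint; the mirror itself never holds it.
DISTRIBUTOR_KEY = b"constructed-secret-not-on-the-mirror"


def build_manifest(packages):
    """Build a Packages-style manifest listing an md5sum for each file."""
    lines = []
    for name in sorted(packages):
        digest = hashlib.md5(packages[name]).hexdigest()
        lines.append(f"Filename: {name}\nMD5sum: {digest}\n")
    return "\n".join(lines).encode()


def parse_manifest(manifest):
    """Return {filename: md5hex} parsed from a Packages-style manifest."""
    sums = {}
    current = None
    for line in manifest.decode().splitlines():
        if line.startswith("Filename: "):
            current = line[len("Filename: "):]
        elif line.startswith("MD5sum: ") and current:
            sums[current] = line[len("MD5sum: "):]
            current = None
    return sums


def build_tree(packages):
    """Mirror tree: the packages and the manifest live side by side."""
    return {"packages": dict(packages), "Packages": build_manifest(packages)}


def sign_manifest(manifest, key):
    """Detached signature over the manifest (HMAC as a stand-in for GPG)."""
    return hmac.new(key, manifest, hashlib.sha256).hexdigest()


def verify_md5(tree):
    """Checksum-only check: every file matches its manifest entry."""
    sums = parse_manifest(tree["Packages"])
    return all(
        name in sums and hashlib.md5(data).hexdigest() == sums[name]
        for name, data in tree["packages"].items()
    )


def verify_signed(tree, signature, key):
    """Check the manifest signature first, then the per-file checksums."""
    expected = sign_manifest(tree["Packages"], key)
    if not hmac.compare_digest(expected, signature):
        return False
    return verify_md5(tree)


def corrupt_in_transit(tree, name):
    """Flip one bit in a file; the manifest is left untouched."""
    copy = {"packages": dict(tree["packages"]), "Packages": tree["Packages"]}
    data = bytearray(copy["packages"][name])
    data[0] ^= 0x01
    copy["packages"][name] = bytes(data)
    return copy


def compromise_mirror(tree, name, replacement):
    """Replace a package and regenerate the manifest that sits beside it."""
    pkgs = dict(tree["packages"])
    pkgs[name] = replacement
    return build_tree(pkgs)


if __name__ == "__main__":
    tree = build_tree(SAMPLE_PACKAGES)
    sig = sign_manifest(tree["Packages"], DISTRIBUTOR_KEY)
    damaged = corrupt_in_transit(tree, "foo_1.0_i386.deb")
    evil = compromise_mirror(tree, "foo_1.0_i386.deb", b"replaced contents")
    print("md5 catches transit damage:", not verify_md5(damaged))
    print("md5 catches mirror compromise:", not verify_md5(evil))
    print("signature catches mirror compromise:",
          not verify_signed(evil, sig, DISTRIBUTOR_KEY))
```

Running it shows the asymmetry: the bit-flipped download fails the md5 check, the regenerated tree passes it, and only the signed manifest rejects the regenerated tree, because the attacker who rewrote the Packages file could not re-sign it.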